In this video, we cover Lab #1 in the JWT Attacks module of the Web Security Academy. This lab uses a JWT-based mechanism for handling sessions. Due to implementation flaws, the server doesn't verify the signature of any JWTs that it receives.

To solve the lab, modify your session token to gain access to the admin panel at /admin, then delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter.

▬ 🔗 Links 🔗 ▬▬▬▬▬▬▬▬▬▬

Notes.txt document: https://github.com/rkhal101/Web-Security-Academy-Series/blob/main/jwt-attacks/lab-01/notes.txt

Python Script: https://github.com/rkhal101/Web-Security-Academy-Series/blob/main/jwt-attacks/lab-01/jwt-attacks-lab-01.py

Web Security Academy Exercise Link: https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-unverified-signature